Remote VPN on ASA5540

Feb 9th, 2010

Here is the situation:

I am slowly migrating from a Cisco VPN 3030 concentrator to a Cisco ASA5540.

My L2L tunnels are coming along fine, but I am running into issues with the remote VPN clients attaching.

I have set up the AAA and this works correctly, as well as building the profile (we use IPSec).

My issues are with the IP address pool. We are using a different set of IP addresses than the concentrator.

I have set up the routing on the next hop inside to point to the ASA as the home of the pool of IP addresses.

But I am not getting any throughput.

I can attach to the ASA with a remote client; it checks the RADIUS server, and all of the authentication goes through. But I cannot access anything.

All traceroutes for the IP address pool from inside the network point to the ASA.

Is there something else I need to set up besides just assigning the IP address pool?

Any suggestion would be helpful.

Thanks

johnd2310 Tue, 02/09/2010 - 20:15

Hi,

Sounds like a routing issue on the ASA. How have you set up the routing? Do you by any chance have the "tunneled" keyword in your static routes?

Thanks

John

logan-7 Wed, 02/10/2010 - 05:19

Here is what the route statements look like on the ASA:

route outside 0.0.0.0 0.0.0.0 205.203.38.254 1
route inside 10.0.0.0 255.0.0.0 10.130.49.254 1
route inside 172.50.0.0 255.255.0.0 10.130.49.254 1
route inside 199.21.26.0 255.255.255.0 10.130.49.254 10
route inside 205.203.39.0 255.255.255.0 10.130.49.254 5
route inside 205.203.49.0 255.255.255.0 10.130.49.254 1
route inside 205.203.51.0 255.255.255.0 10.130.49.254 2
route inside 205.203.54.0 255.255.255.0 10.130.49.254 1
route inside 205.203.56.0 255.255.255.0 10.130.49.254 2
route inside 205.203.57.0 255.255.255.0 10.130.49.254 2
route inside 205.203.107.0 255.255.255.0 10.130.49.254 1
route inside 205.203.109.0 255.255.255.0 10.130.49.254 5
route inside 205.203.123.0 255.255.255.0 10.130.49.254 5
route inside 205.203.125.0 255.255.255.0 10.130.49.254 5
route inside 0.0.0.0 0.0.0.0 10.130.49.254 tunneled

johnd2310 Wed, 02/10/2010 - 15:46

Hi,

Try removing "route inside 0.0.0.0 0.0.0.0 10.130.49.254 tunneled" and see if it works.

Thanks

John

johnd2310 Thu, 02/11/2010 - 06:40

Hi,

The "tunneled" keyword is used if you do not have more specific routes to your "internal" network. Encrypted traffic received by the ASA for which there is no static or learned route is passed to the gateway with the IP address specified by the tunneled route. Your routing table shows you have put static routes to your internal network; therefore, the ASA will use those and does not need the tunneled route.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/route_static.html

Thanks

John

Correct Answer
hdashnau Thu, 02/11/2010 - 07:38

The problem is not necessarily routing. Check the following other things:

1. Do you have NAT exemption for the VPN pool? (You need it.) If not, you'll see syslog messages about "no translation group found" and the traffic will be dropped. Assume your VPN pool is 172.16.4.0 255.255.255.0. You would add:

access-list nonat permit ip any 172.16.4.0 255.255.255.0

nat (inside) 0 access-list nonat

2. Do you have an access-group applied to the interface? Do a "show run access-group". If you have one applied, make sure the access-list permits the traffic to the VPN client pool.

3. If this is IPSec and either the client or the ASA is behind NAT, you need to have the following command:

isakmp nat-traversal

-heather

Please rate this post if it helped you.

logan-7 Fri, 02/12/2010 - 06:46

Thanks,

that did it. My exempt NAT was backwards.

Appreciate all the help.
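The checklist in hdashnau's answer and the "backwards" NAT exemption logan-7 ran into can both be checked before the first client connects, by auditing a saved "show run" instead of waiting for "no translation group found" syslogs. The script below is an added example and is not from the thread or from Cisco: the two ASA 8.2-style configs, the ACL name "nonat", the pool name "RAVPN-POOL" and the 10.0.0.0/8 inside network are all constructed for illustration. It parses the ACL bound by "nat (inside) 0 access-list NAME", reports whether traffic from the inside network toward the pool is exempted (pool as destination), flags the reversed case (pool only as source), and also checks whether ISAKMP NAT traversal is enabled.

```python
"""Pre-flight audit of an ASA 8.2-style remote-access VPN config (added example).

Checks two of the items from the answer above against a 'show run' capture:
  * NAT exemption for the VPN pool, and whether the ACE is the right way round
  * whether ISAKMP NAT traversal is enabled
All config text below is constructed, not taken from the thread.
"""
import re
from ipaddress import IPv4Network

VPN_POOL = IPv4Network("172.16.4.0/24")   # pool used in hdashnau's example

# Constructed: the exemption ACE has the pool as *source*, so inside->pool
# traffic never matches the exemption and falls into the dynamic NAT (dropped).
BACKWARDS_CFG = """\
ip local pool RAVPN-POOL 172.16.4.1-172.16.4.254 mask 255.255.255.0
access-list nonat extended permit ip 172.16.4.0 255.255.255.0 10.0.0.0 255.0.0.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
"""

# Constructed: same config with the ACE corrected (pool as destination) and NAT-T on.
CORRECT_CFG = """\
ip local pool RAVPN-POOL 172.16.4.1-172.16.4.254 mask 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 172.16.4.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
crypto isakmp nat-traversal 20
"""


def _network(tokens):
    """Consume one ACE address spec: 'any', 'host A.B.C.D' or 'NET MASK'."""
    tok = next(tokens)
    if tok == "any":
        return IPv4Network("0.0.0.0/0")
    if tok == "host":
        return IPv4Network(next(tokens) + "/32")
    return IPv4Network(f"{tok}/{next(tokens)}")   # ipaddress accepts dotted masks


def parse_aces(cfg, acl_name):
    """Return [(action, proto, src, dst)] for the plain IP ACEs of the named ACL.

    Remarks and ACEs this simple parser cannot read (object-groups, port
    qualifiers) are skipped rather than guessed at.
    """
    aces = []
    for line in cfg.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[:2] != ["access-list", acl_name]:
            continue
        if parts[2] == "extended":
            del parts[2]
        if parts[2] == "remark":
            continue
        action, proto = parts[2], parts[3]
        tokens = iter(parts[4:])
        try:
            src = _network(tokens)
            dst = _network(tokens)
        except (ValueError, StopIteration):
            continue
        aces.append((action, proto, src, dst))
    return aces


def nat_exempt_acl(cfg, ifc="inside"):
    """Name of the ACL bound by 'nat (ifc) 0 access-list NAME', or None."""
    m = re.search(rf"^nat \({re.escape(ifc)}\) 0 access-list (\S+)", cfg, re.M)
    return m.group(1) if m else None


def check_nat_exemption(cfg, pool, ifc="inside"):
    """'ok' if inside->pool is exempted from NAT, 'backwards' if only the reversed
    ACE (pool as source) exists, 'no-nat0' if no exemption is bound, else 'no-match'."""
    name = nat_exempt_acl(cfg, ifc)
    if name is None:
        return "no-nat0"
    aces = parse_aces(cfg, name)
    if any(a == "permit" and p == "ip" and pool.subnet_of(d) for a, p, s, d in aces):
        return "ok"
    if any(a == "permit" and pool.subnet_of(s) for a, p, s, d in aces):
        return "backwards"
    return "no-match"


def has_nat_traversal(cfg):
    """True if NAT-T is on ('isakmp nat-traversal' or 'crypto isakmp nat-traversal')."""
    return re.search(r"^(crypto )?isakmp nat-traversal", cfg, re.M) is not None


def audit(cfg, pool):
    """Summary of both checks for one config capture."""
    return {"nat_exempt": check_nat_exemption(cfg, pool),
            "nat_traversal": has_nat_traversal(cfg)}


if __name__ == "__main__":
    for label, cfg in (("backwards", BACKWARDS_CFG), ("correct", CORRECT_CFG)):
        print(label, audit(cfg, VPN_POOL))
```

Run it against a real capture with `audit(open("show-run.txt").read(), IPv4Network("your-pool/24"))`. A result of "backwards" is exactly the symptom from this thread: the ACE exists, so a quick glance at the config looks fine, but the inside-to-pool direction is never exempted. "no-match" usually means the ACE names a narrower inside network than the one the clients are trying to reach. The access-group check from item 2 is not automated here because it depends on which interface the ACL is applied to and in which direction.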

Correct Answer
hdashnau Fri, 02/12/2010 - 07:02

Please rate the posts and mark the question as resolved.
